myproject-aws-eks-terraform
Step 1: Install IAM Authenticator
$ brew install aws-iam-authenticator
$ aws-iam-authenticator help
Step 2: Create Variables File
#
# Variables Configuration
#
variable "cluster-name" {
default = "terraform-eks-demo"
type = "string"
}
Step 3: Create Base VPC Networking
#
# VPC Resources
# * VPC
# * Subnets
# * Internet Gateway
# * Route Table
#
resource "aws_vpc" "demo" {
cidr_block = "10.0.0.0/16"
tags = "${
map(
"Name", "terraform-eks-demo-node",
"kubernetes.io/cluster/${var.cluster-name}", "shared",
)
}"
}
resource "aws_subnet" "demo" {
count = 2
availability_zone = "${data.aws_availability_zones.available.names[count.index]}"
cidr_block = "10.0.${count.index}.0/24"
vpc_id = "${aws_vpc.demo.id}"
tags = "${
map(
"Name", "terraform-eks-demo-node",
"kubernetes.io/cluster/${var.cluster-name}", "shared",
)
}"
}
resource "aws_internet_gateway" "demo" {
vpc_id = "${aws_vpc.demo.id}"
tags = {
Name = "terraform-eks-demo"
}
}
resource "aws_route_table" "demo" {
vpc_id = "${aws_vpc.demo.id}"
route {
cidr_block = "0.0.0.0/0"
gateway_id = "${aws_internet_gateway.demo.id}"
}
}
resource "aws_route_table_association" "demo" {
count = 2
subnet_id = "${aws_subnet.demo.*.id[count.index]}"
route_table_id = "${aws_route_table.demo.id}"
}
Step 4: Create EKS Master: IAM Role to allow EKS Service to manage other AWS Services
resource "aws_iam_role" "demo-node" {
name = "terraform-eks-demo-cluster"
assume_role_policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "eks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
POLICY
}
resource "aws_iam_role_policy_attachment" "demo-cluster-AmazonEKSClusterPolicy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
role = "${aws_iam_role.demo-node.name}"
}
resource "aws_iam_role_policy_attachment" "demo-cluster-AmazonEKSServicePolicy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEKSServicePolicy"
role = "${aws_iam_role.demo-node.name}"
}
Step 5: Create EKS Master: Security Group
resource "aws_security_group" "demo-cluster" {
name = "terraform-eks-demo-cluster"
description = "Cluster communication with worker nodes"
vpc_id = "${aws_vpc.demo.id}"
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = {
Name = "terraform-eks-demo"
}
}
# OPTIONAL: Allow inbound traffic from your local workstation external IP
# to the Kubernetes. You will need to replace A.B.C.D below with
# your real IP. Services like icanhazip.com can help you find this.
resource "aws_security_group_rule" "demo-cluster-ingress-workstation-https" {
cidr_blocks = ["A.B.C.D/32"]
description = "Allow workstation to communicate with the cluster API Server"
from_port = 443
protocol = "tcp"
security_group_id = "${aws_security_group.demo-cluster.id}"
to_port = 443
type = "ingress"
}
Step 6: Create EKS Master: Cluster
resource "aws_eks_cluster" "demo" {
name = "${var.cluster-name}"
role_arn = "${aws_iam_role.demo-node.arn}"
vpc_config {
security_group_ids = ["${aws_security_group.demo-cluster.id}"]
subnet_ids = ["${aws_subnet.demo.*.id}"]
}
depends_on = [
"aws_iam_role_policy_attachment.demo-cluster-AmazonEKSClusterPolicy",
"aws_iam_role_policy_attachment.demo-cluster-AmazonEKSServicePolicy",
]
}
Step 7: Deploy Infra: Master Node
$ terraform init
$ terraform plan
$ terraform apply
Step 8: Setup Kubectl client
$aws eks update-kubeconfig --name terraform-eks-demo
Step 9: Verify the binaries are in the path and executable
$ for command in kubectl aws-iam-authenticator
do
which $command &>/dev/null && echo "$command in path" || echo "$command NOT FOUND"
done
Step 10: Create EKS Worker Node: IAM Role and Instance Profile allowing Kubernetes
resource "aws_iam_role" "demo-cluster" {
name = "terraform-eks-demo-cluster"
assume_role_policy = <<POLICY
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "eks.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
POLICY
}
resource "aws_iam_role_policy_attachment" "demo-cluster-AmazonEKSClusterPolicy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
role = aws_iam_role.demo-node.name
}
resource "aws_iam_role_policy_attachment" "demo-cluster-AmazonEKSServicePolicy" {
policy_arn = "arn:aws:iam::aws:policy/AmazonEKSServicePolicy"
role = aws_iam_role.demo-node.name
}
Step 11: Create EKS Worker Node: Security Group
resource "aws_security_group" "demo-node" {
name = "terraform-eks-demo-node"
description = "Security group for all nodes in the cluster"
vpc_id = aws_vpc.demo.id
egress {
from_port = 0
to_port = 0
protocol = "-1"
cidr_blocks = ["0.0.0.0/0"]
}
tags = {
"Name" = "terraform-eks-demo-node"
"kubernetes.io/cluster/${var.cluster-name}" = "owned"
}
}
resource "aws_security_group_rule" "demo-node-ingress-self" {
description = "Allow node to communicate with each other"
from_port = 0
protocol = "-1"
security_group_id = aws_security_group.demo-node.id
source_security_group_id = aws_security_group.demo-node.id
to_port = 65535
type = "ingress"
}
resource "aws_security_group_rule" "demo-node-ingress-cluster" {
description = "Allow worker Kubelets and pods to receive communication from the cluster control plane"
from_port = 1025
protocol = "tcp"
security_group_id = aws_security_group.demo-node.id
source_security_group_id = aws_security_group.demo-cluster.id
to_port = 65535
type = "ingress"
}
Step 12: Worker Node Access to EKS Master Cluster
resource "aws_security_group_rule" "demo-cluster-ingress-node-https" {
description = "Allow pods to communicate with the cluster API Server"
from_port = 443
protocol = "tcp"
security_group_id = aws_security_group.demo-cluster.id
source_security_group_id = aws_security_group.demo-node.id
to_port = 443
type = "ingress"
}
Step 13: Worker Node AutoScaling Group (AMI, AutoScaling Launch Configuration, AutoScaling Group)
data "aws_ami" "eks-worker" {
filter {
name = "name"
values = ["amazon-eks-node-${aws_eks_cluster.demo.version}-v*"]
}
most_recent = true
owners = ["602401143452"] # Amazon EKS AMI Account ID
}
# This data source is included for ease of sample architecture deployment
# and can be swapped out as necessary.
data "aws_region" "current" {
}
# EKS currently documents this required userdata for EKS worker nodes to
# properly configure Kubernetes applications on the EC2 instance.
# We implement a Terraform local here to simplify Base64 encoding this
# information into the AutoScaling Launch Configuration.
# More information: https://docs.aws.amazon.com/eks/latest/userguide/launch-workers.html
locals {
demo-node-userdata = <<USERDATA
#!/bin/bash
set -o xtrace
/etc/eks/bootstrap.sh --apiserver-endpoint '${aws_eks_cluster.demo.endpoint}' --b64-cluster-ca '${aws_eks_cluster. demo.certificate_authority[0].data}' '${var.cluster-name}'
USERDATA
}
resource "aws_launch_configuration" "demo" {
associate_public_ip_address = true
iam_instance_profile = aws_iam_instance_profile.demo-node.name
image_id = data.aws_ami.eks-worker.id
instance_type = "m4.large"
name_prefix = "terraform-eks-demo"
security_groups = [aws_security_group.demo-node.id]
user_data_base64 = base64encode(local.demo-node-userdata)
lifecycle {
create_before_destroy = true
}
}
resource "aws_autoscaling_group" "demo" {
desired_capacity = 2
launch_configuration = aws_launch_configuration.demo.id
max_size = 2
min_size = 1
name = "terraform-eks-demo"
vpc_zone_identifier = [aws_subnet.demo.*.id]
tag {
key = "Name"
value = "terraform-eks-demo"
propagate_at_launch = true
}
tag {
key = "kubernetes.io/cluster/${var.cluster-name}"
value = "owned"
propagate_at_launch = true
}
}
Step 14: Required Kubernetes Configuration to Join Worker Nodes
Run terraform output config_map_aws_auth and save the configuration into a file, e.g. config_map_aws_auth.yaml
Run kubectl apply -f config_map_aws_auth.yaml
You can verify the worker nodes are joining the cluster via: kubectl get nodes --watch
locals {
config_map_aws_auth = <<CONFIGMAPAWSAUTH
apiVersion: v1
kind: ConfigMap
metadata:
name: aws-auth
namespace: kube-system
data:
mapRoles: |
- rolearn: ${aws_iam_role.demo-node.arn}
username: system:node:{{EC2PrivateDNSName}}
groups:
- system:bootstrappers
- system:nodes
CONFIGMAPAWSAUTH
}
output "config_map_aws_auth" {
value = local.config_map_aws_auth
}
Step 15: Modify Infra to add Worker Node
$ terraform init
$ terraform plan
$ terraform apply